
Administration Guide

Analyzing an incident

In Incidents & Events > Incidents > Incidents, select an incident or right-click an incident and select Analysis. Alternatively, you can double-click an incident to open the Incident Analysis pane. The Incident Analysis pane displays the incident's affected endpoint and user, audit history, attached events, reports, comments, and more.

Note

Some features of incident analysis are only available with the applicable license.

You can perform the following actions from the toolbar in the Incident Analysis pane:

Action

Description

Edit Layout

Edit the layout of the widgets.

You can toggle and resize widgets according to your needs. Select the number of Columns to use for the layout. Use Undo and Redo as you make your changes to the layout. Click Save to save the changes, or Reset to reset to the defaults.

Export Incident

Export the incident analysis as HTML or PDF.

In the Export Incident pane, you can review a preview of the export. You can toggle to Include Events and set the Maximum Rows for tables in the export in this pane as well.

Enrich

Enrich an indicator within the incident. For more information, see Indicator enrichment.

Execute Playbook

Select a playbook to execute.

In the Select Playbook to Run pane, you can select a playbook from the table view and click Run. If there are configurable parameters for the playbook, you will be asked to configure them in the Manually Run Playbook dialog.

Run Report

Run a report against the affected endpoint.

In the Run Report pane, select the Endpoint, Report, and Time Period.

Only reports with Auto Cache and Extended Log Filtering enabled can be run from an incident. For more information, see Reports Settings tab.

To attach the report to the incident, see Adding reports to an incident.

Quarantine

Quarantine the affected endpoint.

In the Quarantine Endpoint dialog, select the Endpoint and the Connector.

Refresh

Refresh the widgets.

The Incident Analysis pane includes the following widgets:

Widget

Description

Incident Summary

General information about the incident.

You can review and modify the following information:

  • Incident Number: The unique incident ID. This is displayed, but cannot be modified.

  • Incident Name: The name of the incident.

  • Incident Date/Time: The date and time that the incident was created. This is displayed, but cannot be modified.

  • Incident Update Date/Time: The date and time that the incident was last updated. This is displayed, but cannot be modified.

  • Incident Category: The incident category, including Unauthorized Access, Denial of Service (DoS), Malicious Code, Improper Usage, Scans/Probes/Attempted Access, and Uncategorized.

  • MITRE Tech ID: The techniques associated with the incident. These can be added via the dropdown list, which organizes the techniques by domain and tactic.

  • Severity: The severity of the incident, including High, Medium, and Low.

  • Status: The current status of the incident, including New, Analysis, Response, Closed: Remediated, and Closed: False Positive.

  • Affected Endpoint: The endpoint associated with this incident. This is displayed, but cannot be modified.

  • Description: A description of the incident provided by the administrator.

  • Assigned To: A dropdown menu of administrators to whom the incident can be assigned.

After making modifications, click Update to save your changes.

Affected Endpoint/User

Information about the affected endpoint/user. When multiple endpoints/users are associated with the incident, the total number is displayed and you can click the forward or backward arrow on the tile to cycle between them.

Comments

Displays comments made by administrators for this incident with a timestamp. The most recent comments appear at the top of the list.

Enter a comment and click POST to create a new comment.

Existing comments can be edited and deleted by administrators.

Affected Assets

Displays affected asset(s) in a table view. Includes the endpoint, user, IP address, and MAC address of the asset.

Click a user in the User column to display endpoint information in a separate dialog.

Incident Timeline

The timeline of the events raised for the incident.

Scroll using your mouse wheel to change the displayed time frame. Mouse over the event to display a tooltip of its details.

Events

Displays the events that have been raised for this incident in a table view. You can use the search bar to search for events; toggle Match Case and Use Regular Expression using the icons in the search bar.

You can perform the following actions after selecting an event:

  • View Logs: Open the View Logs pane, which displays the related logs for the event in a table view.

  • Search in Log View: Open Log View filtered by the event in a new tab.

  • Delete: Delete the event.

Audit History

Displays the history of changes made to an incident, including the user who made the change and information about the type of change that was made.

Click Expand All to see additional details.

Executed Playbooks

The history of executed playbooks related to the incident.

Click Execute Playbook to run a playbook configured with the On_Demand trigger. See Automation.

Indicators

Displays indicators attached to an incident from FortiGuard, FortiMail, or event handlers.

Hover your mouse over an indicator to view detailed information from FortiGuard or click Details under Results to view information from FortiMail including sender reputation and email statistics.

Indicator information can be attached to incidents using the FortiGuard and FortiMail connectors in playbooks, or when an incident is created from an event that includes indicators identified in the event handler.

Reports

Attach and manage reports related to this incident. The reports are displayed in a table view, listing the report name, format, time range, and devices.

See Adding reports to an incident.

Processes

Displays endpoint processes associated with this incident including the process ID, process path, and network connection.

Select a time period to view by choosing a snapshot from the snapshot dropdown.

Processes can be displayed in a table format or as raw data.

Software

Displays endpoint software associated with this incident including the software, installation path, and installation time.

Select a time period to view by choosing a snapshot from the snapshot dropdown.

Software can be displayed in a table format or as raw data.

Vulnerabilities

Displays endpoint vulnerabilities associated with this incident including the vulnerability name, ID, severity, and category.

Select a time period to view by choosing a snapshot from the snapshot dropdown.

Vulnerabilities can be displayed in a table format or as raw data.